Passkey Raider

Passkey Raider is a Burp Suite extension designed to facilitate comprehensive testing of Passkey systems. It offers three core functionalities:

  • Decode and encode Passkey data in HTTP requests.
  • Automatically replace the public key in Passkey registration flows with a generated public key.
  • Automatically sign data in Passkey authentication flows using a generated private key.

Features

  • Extract Passkey Data: Seamlessly capture key Passkey components like clientDataJSON and signature.
  • Flexible Encoding: Support for URL-encoded, Base64, and Base64URL formats.
  • Comprehensive Data Types: Handle clientDataJSON, attestationObject, authenticatorData, and various attestation statements.
  • Key Pair Generation: Generate secure key pairs with multiple algorithms (RS256, ES256, EdDSA, and more).
  • Automated Testing: Auto-replace public keys and sign data in real-time during Passkey flows.
  • Project Integration: Save and load settings directly into Burp Suite project files.
  • Instant Request Highlighting: Automatically identify and highlight Passkey-related requests in Burp Suite's Proxy tool.

Usage

Passkey Raider includes two main components: Settings Page and Passkey Message Editor.

Settings Page

Before Passkey testing, configure the Passkey settings, such as URLs and regex patterns for extracting data, and generate a key pair.

  • URLs: URLs of Passkey registration and authentication requests.
  • Regex: Regex patterns for extracting Passkey data from HTTP requests. Each pattern must contain a capture group (a subpattern enclosed in parentheses), because the extension uses the data matched by the group.
  • Encoding Formats: Select the encoding format for data:
    • URL Encoded: Check this box if data is URL encoded.
    • Base64: Select this option if data is in standard Base64 format.
    • Base64URL: Select this option if data is in Base64 URL-safe format.
  • Generated COSE Key: Generate or import a key pair for use in Passkey registration and authentication flows.
  • Algorithm: Choose an algorithm for generating the key pair. It is recommended to select an algorithm supported by the target web service.
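
How the Regex and Encoding Formats settings fit together, shown as an added Python example that is not taken from the extension's source: capture group 1 selects the encoded value, URL encoding is undone first, then Base64 or Base64URL. The function names, patterns and request bodies are assumptions constructed for illustration.

```python
import base64
import json
import re
from urllib.parse import quote, unquote

def extract(body, pattern):
    """Return capture group 1; a pattern without a group is rejected."""
    rx = re.compile(pattern)
    if rx.groups < 1:
        raise ValueError("pattern must contain a capture group")
    m = rx.search(body)
    if m is None:
        raise LookupError("pattern did not match the request body")
    return m.group(1)

def decode(value, fmt, url_encoded=False):
    """Undo URL encoding first, then Base64 or Base64URL."""
    if url_encoded:
        value = unquote(value)  # not unquote_plus: '+' is a Base64 character
    value += "=" * (-len(value) % 4)  # Base64URL usually drops padding
    if fmt == "base64url":
        return base64.urlsafe_b64decode(value)
    if fmt == "base64":
        return base64.b64decode(value, validate=True)
    raise ValueError(f"unknown format: {fmt}")

def encode(raw, fmt, url_encoded=False):
    """Inverse of decode(), for writing an edited value back."""
    if fmt == "base64url":
        text = base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    else:
        text = base64.b64encode(raw).decode()
    return quote(text, safe="") if url_encoded else text

def parse_client_data(body, pattern, fmt, url_encoded=False):
    return json.loads(decode(extract(body, pattern), fmt, url_encoded))

# Constructed sample data (not captured from a real service).
CLIENT_DATA = {"type": "webauthn.get", "challenge": "Y29uc3RydWN0ZWQ",
               "origin": "https://example.test", "crossOrigin": False}
RAW = json.dumps(CLIENT_DATA).encode()
JSON_BODY = json.dumps({"response": {"clientDataJSON": encode(RAW, "base64url")}})
FORM_BODY = "clientDataJSON=" + encode(RAW, "base64", True) + "&id=constructed"
JSON_PATTERN = r'"clientDataJSON"\s*:\s*"([^"]+)"'
FORM_PATTERN = r"clientDataJSON=([^&]+)"

if __name__ == "__main__":
    print(parse_client_data(JSON_BODY, JSON_PATTERN, "base64url"))
    print(parse_client_data(FORM_BODY, FORM_PATTERN, "base64", url_encoded=True))
```

Choosing the wrong format usually shows up as a decode error or as bytes that are not valid JSON, which is a quick way to confirm which encoding the target service uses.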

Passkey Message Editor

View and edit decoded Passkey data directly within HTTP requests.

  • Passkey Registration Request: View decoded registration data.
  • Passkey Authentication Request: View decoded authentication data.

Author

Siam Thanat Hack

Version

1.0.2

Last updated

25 July 2025

You can install BApps directly within Burp, via the BApp Store feature in the Burp Extender tool. You can also download them from here, for offline installation into Burp.

You can view the source code for all BApp Store extensions on our GitHub page.

Please note that extensions are written by third party users of Burp, and PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose.
